FR2840747A1 - Biometric access authentication method wherein each time access is required a fingerprint sample is compared with a stored encrypted reference with the new fingerprint sample forming a new reference after a positive comparison - Google Patents
Biometric access authentication method wherein each time access is required a fingerprint sample is compared with a stored encrypted reference with the new fingerprint sample forming a new reference after a positive comparison Download PDFInfo
- Publication number
- FR2840747A1 FR2840747A1 FR0207125A FR0207125A FR2840747A1 FR 2840747 A1 FR2840747 A1 FR 2840747A1 FR 0207125 A FR0207125 A FR 0207125A FR 0207125 A FR0207125 A FR 0207125A FR 2840747 A1 FR2840747 A1 FR 2840747A1
- Authority
- FR
- France
- Prior art keywords
- computer
- key
- new
- access
- encrypted
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals
- G06F21/31—User authentication
- G06F21/32—User authentication using biometric data, e.g. fingerprints, iris scans or voiceprints
-
- G—PHYSICS
- G07—CHECKING-DEVICES
- G07C—TIME OR ATTENDANCE REGISTERS; REGISTERING OR INDICATING THE WORKING OF MACHINES; GENERATING RANDOM NUMBERS; VOTING OR LOTTERY APPARATUS; ARRANGEMENTS, SYSTEMS OR APPARATUS FOR CHECKING NOT PROVIDED FOR ELSEWHERE
- G07C9/00—Individual registration on entry or exit
- G07C9/00174—Electronically operated locks; Circuits therefor; Nonmechanical keys therefor, e.g. passive or active electrical keys or other data carriers without mechanical keys
- G07C9/00563—Electronically operated locks; Circuits therefor; Nonmechanical keys therefor, e.g. passive or active electrical keys or other data carriers without mechanical keys using personal physical data of the operator, e.g. finger prints, retinal images, voicepatterns
-
- G—PHYSICS
- G07—CHECKING-DEVICES
- G07C—TIME OR ATTENDANCE REGISTERS; REGISTERING OR INDICATING THE WORKING OF MACHINES; GENERATING RANDOM NUMBERS; VOTING OR LOTTERY APPARATUS; ARRANGEMENTS, SYSTEMS OR APPARATUS FOR CHECKING NOT PROVIDED FOR ELSEWHERE
- G07C9/00—Individual registration on entry or exit
- G07C9/30—Individual registration on entry or exit not involving the use of a pass
- G07C9/32—Individual registration on entry or exit not involving the use of a pass in combination with an identity check
- G07C9/37—Individual registration on entry or exit not involving the use of a pass in combination with an identity check using biometric data, e.g. fingerprints, iris scans or voice recognition
Abstract
Description
saturable de type sans electrode.saturable type without electrode.
La presente invention concerne une signature electronique de l'utilisateur d'un ordinateur pour controler l'autorisation d'acces d'un certain utilisateur ou groupe d'utilisateur a un ordinateur, notamment pour effectuer des transactions, la signature electronique etant l'empreinte s biometrique de l'utilisateur et ltordinateur, equipe d'un capteur The present invention relates to an electronic signature of the user of a computer for controlling the authorization of access of a certain user or group of user to a computer, in particular for carrying out transactions, the electronic signature being the fingerprint. s user and computer biometric, equipped with a sensor
d'empreintes biometriques, est relic a un serveur. biometric fingerprints, is linked to a server.
Art anterieurPrior art
I1 existe de nombreux systemes de signature electronique. There are many electronic signature systems.
Le probleme de tous les systemes existants reside dans la securite plus ou o moins grande de ces systemes, d'autant plus qu'ils doivent tenir compte de la reglementation concernant la protection des informations confiden The problem of all existing systems lies in the greater or lesser security of these systems, especially since they must take into account the regulations concerning the protection of confidential information.
tielles relatives aux personnel qui doit etre contenue dans des fichiers. relating to personnel which must be contained in files.
La presente invention a pour but de developper un systeme de signature electronique, offrant des garanties de securite tres poussee pour l'acces a un ordinateur d'une personne autorisee en vue d'executer des transactions et qui soit egalement protege contre toutes les interven tions de piratage, susceptibles de recueillir des informations confidentiel The purpose of the present invention is to develop an electronic signature system, offering very high security guarantees for access to a computer of an authorized person in order to execute transactions and which is also protected against all intervention. hacking, likely to collect confidential information
les lors de ['execution de la transaction par l'intermediaire d'un reseau. during the execution of the transaction through a network.
Obet de ['invention o A cet effet, ['invention concerne une signature electronique du type defini ci-dessus caracterisee en ce que A) a la premiere utilisation protegee de l'ordinateur: - on saisit l'empreinte biometrique de l'utilisateur autorise avec le capteur biometrique associe a l'ordinateur, - on attribue un numero d'identification a l'utilisateur, - on analyse ltempreinte biometrique pour en determiner les parti cularites (minuties, points X, Y) et leur position relative dans un systeme de coordonnees pour former une reference, - on forme une cle de cryptage en appliquant un programme de cryptage a la reference, - on crypte la reference avec la cle de cryptage ainsi obtenue pour former la reference cryptee, - on efface l'empreinte saisie et la reference, - on stocke localement la reference cryptee avec le numero d'identification, on envole la cle au servour avec le numero d'identification, - on efface la cle dans l'ordinateur, B) lors d'un acces suivant a l'ordinateur: - on saisit l'empreinte biometrique, - on analyse ltempreinte et on forme un echantillon a ['aide du pro gramme d'analyse, - on envoie une requete de cle avec le numero d'identification au s servour, qui retourne la cle associee au numero d'identification, - on de crypte la reference cryptee enre gi stree lo calement avec la cle, - on compare l'echantillon a la reference decryptee: * si la comparaison est positive, l'autorisation d'acces est accor io de et on forme une nouvelle cle de cryptage transmise au ser veur sous le meme numero d'identification en remplacement de l'ancienne cle et avec cette nouvelle cle, on crypte ltechantillon qui devient une reference cryptee remplacO ant la reference precedente, * si la comparaison est negative, l'autorisation d'acces est refu see. La signature electronique selon ['invention a l'avantage de respecter le caractere confidential de ['information relative a la personne autorisee, c'est-a-dire son empreinte biometrique puisque cette informa o tion n'est pas conservee dans la memoire de l'ordinateur, ni a un autre endroit. Seules vent conservees d'une part, la cle de cryptage etablie a partir de ltempreinte biometrique et cette cle de cryptage ntest pas inscrite dans l'ordinateur dont l'acces doit etre autorise mais dans un servour et d'autre part, la reference cryptee enregistree localement soit dans :5 l'ordinateur soit de maniere indirecte sur un support risible par Object of the invention o To this end, the invention relates to an electronic signature of the type defined above, characterized in that A) at the first protected use of the computer: - the user's biometric fingerprint is entered authorized with the biometric sensor associated with the computer, - we assign an identification number to the user, - we analyze the biometric fingerprint to determine its particularities (minutiae, points X, Y) and their relative position in a system coordinates to form a reference, - we form an encryption key by applying an encryption program to the reference, - we encrypt the reference with the encryption key thus obtained to form the encrypted reference, - we delete the fingerprint entered and the reference, - we locally store the encrypted reference with the identification number, we send the key to the servour with the identification number, - we delete the key in the computer, B) during a subsequent access to l computer: - we know if the biometric fingerprint, - we analyze the fingerprint and we form a sample using the analysis program, - we send a request for a key with the identification number to the server, which returns the key associated with the number identification, - we encrypt the encrypted reference in gi stree lo cally with the key, - we compare the sample to the decrypted reference: * if the comparison is positive, the access authorization is accor io of and we forms a new encryption key transmitted to the server under the same identification number to replace the old key and with this new key, the sample is encrypted which becomes an encrypted reference replaced by the previous reference, * if the comparison is negative , the authorization of access is refused. The electronic signature according to the invention has the advantage of respecting the confidential nature of the information relating to the authorized person, that is to say his biometric fingerprint since this information is not kept in the memory of the computer, or somewhere else. Only wind kept on the one hand, the encryption key established from the biometric fingerprint and this encryption key is not registered in the computer whose access must be authorized but in a servour and on the other hand, the encrypted reference saved locally either in: 5 the computer or indirectly on a medium laughable by
l'ordinateur a ['aide d'un equipement peripherique. the computer using peripheral equipment.
Or, la cle de cryptage ntest pas utilisable seule. I1 en est de However, the encryption key cannot be used alone. There is
meme de la reference cryptee qui ne peut servir si elle n'est pas decryptee. even the encrypted reference which cannot be used if it is not decrypted.
La securite de s informations est done as suree par ltenregistrement sous forme d'informations complementaires (cle, reference cryptee) en des lieux Information security is therefore ensured by recording it in the form of additional information (key, encrypted reference) in places
differents et inutilisable isolement. different and unusable in isolation.
La cle de cryptage est unique car elle a ete obtenue a partir de l'empreinte biometrique ou plus exactement de la trace recueillie par un capteur d'empreintes biometriques. Cette trace, reproduit les particu ss larites de l'empreinte, par exemple dans la cas d'une empreinte digitale les arcs, boucles, volutes..., formant les minuties, c'est-a- dire les points parti culiers de l'empreinte tels que les points appeles points X et Y correspon dant au croisement ou a l'embranchement de nervures de l'empreinte The encryption key is unique because it was obtained from the biometric fingerprint or more precisely from the trace collected by a biometric fingerprint sensor. This trace, reproduces the particulars of the imprints, for example in the case of a fingerprint the arcs, loops, volutes ..., forming the minutiae, that is to say the particular points of the footprint such as the points called points X and Y corresponding to the crossing or to the junction of ribs of the footprint
digitale. Car meme si les points particuliers de l'empreinte vent inchan- digitalis. Because even if the particular points of the wind imprint remain unchanged
gees, leur position relative par rapport au capteur peut varier suivant la partie du doigt de l'utilisateur qui donnera ltempreinte et n'est jamais exactement la meme. De meme, la force avec laquelle l'utilisateur appuie son doigt et l'ecrase plus ou moins, modife la trace de l'empreinte digitale qui varie d'une operation de saisie a l'autre si bien que la position relative des minuties est differente. En effet suivant l'ecrasement plus ou moins important du doigt, l'ecartement relatif des minuties peut etre modifie gees, their relative position relative to the sensor can vary according to the part of the user's finger which will give the imprint and is never exactly the same. Likewise, the force with which the user presses his finger and more or less crushes it, modifies the trace of the fingerprint which varies from one capture operation to another so that the relative position of the minutiae is different. Indeed depending on the more or less significant crushing of the finger, the relative spacing of the minutiae can be modified
dans le sens de la largeur, de la longueur ou de maniere combinee. in the width, in the length or in a combined way.
o Ainsi apres avoir compare cette nouvelle empreinte sous sa forme analysee, appelee echantillon a la reference decryptee avec la cle de cryptage renvoyee par le serveur et appliquee a la reference cryptee enre gistree localement dans l'ordinateur ou sur un support risible par celuici, le programme verifie si la nouvelle empreinte peut etre consideree comme identique a l'ancienne. Cette nouvelle empreinte servira aussi a former une cle de cryptage integrant des elements aleatoires et cette cle de cryptage sera differente de la precedente cle de cryptage. Cette nouvelle cle de cryptage sera envoyee au servour sans laisser de trace dans l'ordinateur, pour y etre conservee jusqu'a la requete d'acces suivante. En meme temps, cette nouvelle cle de cryptage aura servi a crypter l'echantillon accepte comme o Thus after having compared this new fingerprint in its analyzed form, called sample to the reference decrypted with the encryption key returned by the server and applied to the encrypted reference recorded locally in the computer or on a medium laughable by it, the program checks if the new fingerprint can be considered identical to the old one. This new fingerprint will also be used to form an encryption key integrating random elements and this encryption key will be different from the previous encryption key. This new encryption key will be sent to the server without leaving a trace on the computer, to be kept there until the next access request. At the same time, this new encryption key will have been used to encrypt the sample accepted as
nouvelle reference de ltempreinte biometrique et qui sera enregistree loca- new biometric fingerprint reference which will be registered locally
lement comme reference cryptee avec le numero d'identifcation. Toutes les autres informations et donnees telles que l'empreinte saisie, la refe s rence (non cryptee), la cle de cryptage seront effacees. En meme temps, cette nouvelle cle de cryptage aura servi a crypter l'echantillon accepte Also as an encrypted reference with the identification number. All other information and data such as the fingerprint entered, the reference (not encrypted), the encryption key will be deleted. At the same time, this new encryption key will have been used to encrypt the accepted sample.
comme nouvelle reference de l'empreinte biometrique et qui sera enregis- as a new reference for the biometric print and which will be registered
tre localement comme reference cryptee avec le numero d'identification, toutes les autres informations et donnees telles que l'empreinte saisie, la be locally as an encrypted reference with the identification number, all other information and data such as the fingerprint entered, the
so reference (non cryptee), la cle de cryptage seront effacees de l'ordinateur. so reference (not encrypted), the encryption key will be deleted from the computer.
Ainsi a chaque demande d'autorisation d'acces a l'ordinateur, une nouvelle cle de cryptage est formee pour ['operation d'acces suivante, sans que cette cle de cryptage ne puisse se deduire d'une quelconque maniere de la cle precedente. La cle de cryptage reste enregis Thus each time an authorization request is made for access to the computer, a new encryption key is formed for the next access operation, without this encryption key being able to be deduced in any way from the previous key. . The encryption key remains saved
s5 tree dans le serveur jusqu'a ce qutelle soit remplacee par une nouvelle cle. s5 tree in the server until it is replaced by a new key.
On augmente ainsi de maniere considerable la securite de la signature puisque meme un piratage de l'ordinateur ne permet even tuellement d'obtenir que la cle utilisee et qui ne peut servir une deuxieme foist Suivant une autre caracteristique interessante, on stocke localement la reference cryptee dans l'ordinateur ou dans un support lisi We thus considerably increase the security of the signature since even a hacking of the computer only allows to obtain sometimes only the key used and which cannot serve a second time. According to another interesting characteristic, we locally store the encrypted reference in the computer or in a lisi support
s ble directement par l'ordinateur (carte a puce, une cle USB, un IBUTION) . directly by computer (smart card, USB key, IBUTION).
Les informations a stocker vent eventuellement compressees avant enre The information to be stored may be compressed before saving
gistrement; elles seront alors decompressees lors de la lecture. istration; they will then be decompressed during reading.
Suivant une autre caracteristique avantageuse, en cas de plusieurs utilisateurs autorises a l'acces de l'ordinateur, chacun est iden 0 tifie par un numero d'identification associe respectivement aux cles de According to another advantageous characteristic, in the case of several users authorized to access the computer, each is identified by an identification number associated respectively with the keys of
cryptage et aux references cryptees successives de chaque utilisateur. encryption and successive encrypted references of each user.
Ainsi, selon la procedure ci-dessus, le ou les utilisateurs autorises d'un meme ordinateur n'auront pas a connatre leur numero Thus, according to the above procedure, the authorized user (s) of the same computer will not have to know their number
d'identifcation ce qui augmente egalement la securite. identification which also increases security.
Suivant une autre caracteristique, les numeros d'identification NI(i) vent enregistres dans ltordinateur et, lors d'un acces par l'un des utilisateurs autorises, apres la saisie de son empreinte bio metrique EB, l'ordinateur utilise successivement les differents numeros d'identification NI(i) pour demander chaque fois la cle de cryptage associee au serveur; effectuer les controle avec cette cle de cryptage (decryptage, comparaison de la reference decryptee et de l'echantillon, formation d'une nouvelle cle de cryptage et d'une nouvelle reference cryptee et leur enre gistrement, effacement des anciennes references, anciennes cles de la re ference ayant servi au nouveau cryptage) ou refuser definitivement l'acces According to another characteristic, the identification numbers NI (i) are stored in the computer and, when accessed by one of the authorized users, after entering their bio-metric footprint EB, the computer successively uses the different NI identification numbers (i) to request each time the encryption key associated with the server; perform the checks with this encryption key (decryption, comparison of the encrypted reference and the sample, formation of a new encryption key and a new encrypted reference and their recording, deletion of the old references, old keys of the reference used for the new encryption) or definitively refuse access
2s si les differentes comparaisons ont toutes ete negatives. 2s if the different comparisons were all negative.
Ainsi, selon la procedure ci-dessus, le ou les utilisateurs autorises d'un meme ordinateur n'auront pas a connatre leur numero Thus, according to the above procedure, the authorized user (s) of the same computer will not have to know their number
d'identification, ce qui augmente egalement la securite. identification, which also increases security.
De facon avantageuse, au moment de la demande d'acces, l'ordinateur cree un jeton qui fait le tour du reseau pour ne permettre Advantageously, at the time of the access request, the computer creates a token which goes around the network so as not to allow
qu'une transaction.than a transaction.
L'utilisation d'un jeton modifie a chaque operation permet The use of a modified token at each operation allows
d'augmenter la securite de la signature electronique. increase the security of the electronic signature.
Ce jeton est un nombre aleatoire identifiant la transaction This token is a random number identifying the transaction
et modifie a chaque operation.and changes with each operation.
Dessins La presente invention sera decrite ci-apres de maniere plus detaillee a ['aide des dessins annexes dans lesquels: - la figure 1 montre un schema de ['installation selon ['invention, - la figure 2 montre un ordinogramme simplifie de l'etablissement des moyens de controle de la signature electronique selon ['invention, - la figure 3 est un ordinogramme simplifie de la procedure de controle Drawings The present invention will be described below in more detail with the aid of the annexed drawings in which: - Figure 1 shows a diagram of the installation according to the invention, - Figure 2 shows a simplified flowchart of the establishment of the electronic signature control means according to the invention, - Figure 3 is a simplified flowchart of the control procedure
s d'une demande d'acces a l'ordinateur protege. s a request for access to the protected computer.
Description de modes de realisationDescription of embodiments
Selon la fgure 1, ['invention concerne un procede de con trole d'une signature electronique destinee a permettre a un utilisateur autorise d'acceder a un ordinateur 1 pour effectuer des transactions ne lO cessitant une protection, comme par exemple des transactions commer According to figure 1, the invention relates to a method for checking an electronic signature intended to allow an authorized user to access a computer 1 to carry out transactions which do not cease protection, such as for example commercial transactions.
ciales, l'envoi d'un ordre de debit ou d'un montant d'argent. companies, sending a debit order or an amount of money.
Pour cela, selon ['invention, l'acces a l'ordinateur 1 est don ne seulement apres verification d'une empreinte biometrique de l'utilisateur autorise. Le controle est precede d'une premiere etape con is sistant a enregistrer dans l'ordinateur, la signature electronique du ou des utilisateurs qui seront autorises. Cette signature electronique est associee a une empreinte biometrique de chaque utilisateur par exemple son em preinte digitale. Ce n'est qu'apres ce premier enregistrement que le ou les utilisateurs pourront demander l'acces en fournissant a chaque fois leur empreinte biometrique seront etablis qui sera controlee en meme temps For this, according to the invention, access to the computer 1 is given only after verification of a biometric fingerprint of the authorized user. The control is preceded by a first step consisting of recording on the computer, the electronic signature of the user (s) who will be authorized. This electronic signature is associated with a biometric fingerprint of each user, for example his fingerprint. It is only after this first registration that the user (s) can request access by providing each time their biometric fingerprint will be established which will be checked at the same time.
que de nouveaux elements de controle (cle de cryptage, reference cryptee). new control elements (encryption key, encrypted reference).
La description suivante sera faite avec exemple de The following description will be made with example of
ltempreinte digitale.l fingerprint.
La figure 1 montre schematiquement les moyens de controle :5 d'une signature electronique associe a un ordinateur 1. L'ordinateur 1 est equipe d'un capteur d'empreintes biometriques 2 tel qu'un capteur d'empreintes digitales. Il traite l'empreinte ainsi saisie a ['aide d'un pro gramme d'analyse PRA pour en deduire des informations cryptees a ['aide d'un programme de cryptage PRC. Les informations permettront de con trdler l'autorisation d'acces d'un utilisateur au PC pour effectuer les transactions comme indique ci-dessus. Le systeme comprend egalement un serveur S auquel l'ordinateur accede par l'intermediaire d'un reseau R. Ce servour recoit la cle de cryptage etablie par le programme PRC a partir d'informations liees a la premiere saisie de ltempreinte biometrique. Le serveur fournit cette information en retour a la requete de l'ordinateur 1 et apres le contrdle de l'autorisation d'acces, l'utilisateur ensuite autorise peut effectuer des transactions avec un fournisseur Fi par l'intermediaire du reseau R. Le deroulement des differentes operations sera decrit ci apres de maniere plus detaillee a ['aide des ordinogrammes des figures 2 et 3. Ces operations de controle de l'identite d'utilisateur se de s roulent en deux etapes, une etape preliminaire consistent a enregistrer un utilisateur autorise et les etapes suivantes au cours desquelles FIG. 1 shows diagrammatically the means of control: 5 of an electronic signature associated with a computer 1. The computer 1 is equipped with a biometric fingerprint sensor 2 such as a fingerprint sensor. It processes the fingerprint thus captured using a PRA analysis program to deduce encrypted information from it using a PRC encryption program. The information will make it possible to control the authorization of access of a user to the PC to carry out the transactions as indicated above. The system also includes a server S to which the computer accesses via a network R. This server receives the encryption key established by the PRC program from information linked to the first entry of the biometric fingerprint. The server provides this information in return to the request from computer 1 and after the access authorization has been checked, the user then authorized can carry out transactions with a supplier Fi via the network R. different operations will be described below in more detail using the flowcharts of Figures 2 and 3. These operations of control of user identity are carried out in two stages, a preliminary stage consists in registering a user authorizes and the following stages during which
l'utilisateur demande l'acces a l'ordinateur. the user requests access to the computer.
L'etape preliminaire d'enregistrement de l'utilisateur ou des utilisateurs est representee schematiquement sous la forme d'un ordino lO gramme a la figure 2 et les operations de controle d'autorisation d'acces vent representees schematiquement par l'ordinogramme de la figure 3, The preliminary step of registering the user or users is represented diagrammatically in the form of an ordino 10 gram in FIG. 2 and the operations for controlling authorization of access are represented diagrammatically by the flow diagram of the figure 3,
completee par une partie de l'ordinogramme de la figure 2. supplemented by part of the flowchart in Figure 2.
Selon la figure 2, au cours de l'etape preliminaire on enre gistre un utilisateur autorise en effectuant d'abord sa prise d'empreinte s biometrique EB (100) par le capteur 2. Puis, l'empreinte ainsi saisie et analysee (101) avec un programme d'analyse PRA (102). Cette analyse consiste a determiner les particularites de la trace de ltempreinte biome trique EB. Dans le cas d'une empreinte digitale, examinee plus particulie rement ici, cette analyse consiste a determiner les minuties de la trace o (empreinte), ctest-a-dire les points particuliers de ltempreinte, tels que les According to FIG. 2, during the preliminary step an authorized user is recorded by first taking his biometric impression EB (100) by the sensor 2. Then, the impression thus captured and analyzed (101 ) with a PRA analysis program (102). This analysis consists in determining the peculiarities of the trace of the EB biometric imprint. In the case of a fingerprint, examined more particularly here, this analysis consists in determining the minutiae of the trace o (fingerprint), that is to say the particular points of the fingerprint, such as
points X, Y et leurs coordonnees relatives. points X, Y and their relative coordinates.
I1 convient de remarquer ici qu'il faut distinguer l'empreinte biometrique proprement cite telle que l'empreinte digitale, relativement abstraite et la trace de cette empreinte sur le capteur. Cette trace qui est s la surface de contact entre le doigt et la capteur. Cette trace ne represente qu'une partie de la totalite de l'empreinte digitale. Wile depend de la partie du doigt qui est appliquee sur le capteur et de la pression exercee sur le doigt, c'est-a-dire de l'ecrasement de la surface de contact entre le doigt et It should be noted here that a distinction must be made between the biometric fingerprint properly cited such as the relatively abstract fingerprint and the trace of this fingerprint on the sensor. This trace which is on the contact surface between the finger and the sensor. This trace represents only part of the totality of the fingerprint. Wile depends on the part of the finger which is applied to the sensor and the pressure exerted on the finger, i.e. the crushing of the contact surface between the finger and
le capteur.the sensor.
Cela signifie que la trace de l'empreinte biometrique (em preinte globale) n'est jamais la meme pour une meme personne car les points particuliers ou minuties contenus dans la trace peuvent differer suivant la surface appliquee. Leurs coordonnees relatives peuvent egale ment varier. Ces variations vent relativement faibles mais suffisantes pour 3s etre distinguees par le programme d'analyse et servir dans les conditions This means that the trace of the biometric imprint (global imprint) is never the same for the same person because the particular points or minutiae contained in the trace can differ depending on the surface applied. Their relative coordinates may also vary. These relatively small wind variations but sufficient to be distinguished by the analysis program and used in the conditions
qui seront vues ulterieurement.which will be seen later.
Le resultat de cette analyse est l'obtention d'un ensemble de donnees appele << reference RF,,. La premiere reference, c'est-a-dire celle associee a l'analyse de la premiere prise d'empreinte de l'utilisateur qui sera autorise, est appelee RF(0). Les references suivantes associees a cha que nouvelle prise d'empreinte de ce meme utilisateur autorise, seront ap pelees RF(1), RF(n), RF(n+l), En meme temps que le programme PRA analyse l'empreinte EB de l'utilisateur Ui, l'ordinateur etablit (103) un numero d'identification The result of this analysis is to obtain a set of data called "RF reference". The first reference, that is to say that associated with the analysis of the first impression of the user which will be authorized, is called RF (0). The following references associated with each new fingerprinting of this same user authorized, will be called RF (1), RF (n), RF (n + l), At the same time as the PRA program analyzes the EB footprint of user Ui, the computer establishes (103) an identification number
NI(i) attribue a cet utilisateur Ui. NI (i) assigns this user Ui.
Ensuite, a ['aide d'un programme PRC, l'ordinateur forme Then, using a PRC program, the computer trains
(104) une cle de cryptage CL(0) (105) a partir de la reference RF(0). (104) an encryption key CL (0) (105) from the reference RF (0).
o A ['aide de la cle de cryptage CL(0) et de la reference RF(0), ltordinateur crypte la reference, c' est-a- dire forme une reference cryptee o Using the encryption key CL (0) and the RF reference (0), the computer encrypts the reference, that is to say, forms an encrypted reference
RFC(0) (106)RFC (0) (106)
Cette reference cryptee RF(0) est stockee localement (107) soit dans l'ordinateur soit sur un support accessible a l'ordinateur tel This RF encrypted reference (0) is stored locally (107) either in the computer or on a medium accessible to the computer such
qu'une carte a puce qui s'introduit dans un lecteur lie a l'ordinateur. than a smart card that gets into a reader linked to the computer.
En meme temps que la reference cryptee RC(0) est enregis tree, la cle CL(0) est envoyee (108) au serveur S puis la cle CL(0) est effa At the same time as the encrypted reference RC (0) is saved tree, the key CL (0) is sent (108) to the server S then the key CL (0) is erased
cee (109) de ltordinateur.this (109) of the computer.
De meme, la reference RF(0) est effacee (110). Likewise, the RF reference (0) is deleted (110).
o La cle de cryptage CL(0) est envoyee au servour en meme temps que le numero d'identification NI(i). Ce numero est egalement asso o The encryption key CL (0) is sent to the servour together with the identification number NI (i). This number is also associated
cie a la reference cryptee RFC(0) enregistree localement. cie to the locally saved RFC (0) encrypted reference.
Ces operations terminent (113) cette etape preliminaire. These operations complete (113) this preliminary step.
L'ordinateur est maintenant pret pour recevoir une requete :5 d'acces par un utilisateur et pourra verifier si cet utilisateur est autorise a The computer is now ready to receive a request: 5 accesses by a user and can check if this user is authorized to
acceder a l'ordinateur.access the computer.
Le deroulement de ces operations est represente par l'ordinogramme de la figure 3 utilisant egalement des etapes de l'ordinogramme de la figure 2. Pour cette raison, les indices des designa so tion ont ete doubles; par exemple, l'indice O pour ['operation preliminaire est l'indice 1 pour ['operation suivante et ainsi de suite (n)et (n+l) Au cours d'une premiere etape (200), l'utilisateur fait pren dre son empreinte biometrique par le capteur 2. Cette empreinte est ana lysee par l'ordinateur (201) qui forme un echantillon ECH. Cet echantillon s5 correspond a ce qui, par ['operation d'analyse (101) de l'etape preliminaire, The flow of these operations is represented by the flowchart in Figure 3 also using steps from the flowchart in Figure 2. For this reason, the designations indices were double; for example, the index O for the preliminary operation is the index 1 for the next operation and so on (n) and (n + l) During a first step (200), the user does take its biometric print by sensor 2. This print is analyzed by the computer (201) which forms an ECH sample. This sample s5 corresponds to what, by the analysis operation (101) of the preliminary step,
a donne la reference.gave the reference.
L'echantillon ECH contient les points particuliers de The ECH sample contains the particular points of
l'empreinte biometrique et leur positionnement. the biometric footprint and their positioning.
L'ordinateur demande (202) egalement la cle au serveur S The computer also requests (202) the key from the server S
en lui adressant une requete avec le numero d'identification NI(i). by sending him a request with the identification number NI (i).
On suppose ici qu'il n'y a qutun seul numero dtidentifcation disponible dans l'ordinateur qui traite la demande d'acces. Le serveur S It is assumed here that there is only one identification number available on the computer which processes the access request. The server S
s repond en envoyant la cle CL(0) associee au numero d'identification NI(i). s is answered by sending the key CL (0) associated with the identification number NI (i).
Cette cle CL(0) est utilisee par ltordinateur et le programme This key CL (0) is used by the computer and the program
de cryptage PRC pour decrypter (203) la reference cryptee RFC(0) enregis- PRC encryption to decrypt (203) the RFC encrypted reference (0) saved
tree dans l'ordinateur et associee au numero d'identification NI(i). tree in the computer and associated with the NI (i) identification number.
Ensuite, l'ordinateur compare (204) ltechantillon ECH et la io reference decryptee RF(0). Cette comparaison (204) des deux ensembles d'informations se fait selon des criteres dependent de la nature de Next, the computer compares (204) the ECH sample and the decrypted RF reference (0). This comparison (204) of the two sets of information is made according to criteria depending on the nature of
l'empreinte biometrique. On considere que les informations vent equ*a- the biometric print. We consider that the information is equ * a-
lentes si l'echantillon, c' est-a-dire le s points particuliers de la nouvelle empreinte saisie, vent suffisamment proches des points particuliers de la slow if the sample, that is to say the particular points of the new fingerprint captured, is sufficiently close to the particular points of the
reference decryptee RF(0).RF decrypted reference (0).
Dans ['affirmative (205), l'acces est autorise (206) a l'ordinateur. En meme temps que l'acces est autorise, l'ordinateur forme (207) une nouvelle cle de cryptage CL(1) a partir de l'echantillon ECH avec le programme PRC. Dans cette operation, l'echantillon est considere If yes (205), access is allowed (206) to the computer. At the same time as access is authorized, the computer forms (207) a new encryption key CL (1) from the sample ECH with the program PRC. In this operation, the sample is considered
o comme la reference de l'empreinte saisie au point 200. o as the reference of the fingerprint entered in point 200.
On obtient ainsi une cle de cryptage CL(l, n+l). Cette cle de We thus obtain an encryption key CL (l, n + l). This key of
cryptage CL(l, n+l) est alors utilisee de facon analogue a ce qui a ete de- CL encryption (l, n + l) is then used in a manner analogous to what has been
crit a propos de la fgure 2 pour l'etape preliminaire, pour crypter la refe- written about figure 2 for the preliminary step, to encrypt the refe-
rence (ancien echantillon), c'est-a-dire la reference RF(1, n+l). La rence (old sample), ie the RF reference (1, n + l). The
:5 reference cryptee avec la cle de cryptage donne l'echantillon crypte, c'est- : 5 reference encrypted with the encryption key gives the encrypted sample, that is
a-dire la nouvelle reference cryptee RFC(l, n+l) qui est ensuite stockee ie the new RFC encrypted reference (l, n + l) which is then stored
localement. La nouvelle cle CL(l, n+l) est envoyee au serveur sous le nu- locally. The new CL key (l, n + l) is sent to the server under the number
mero d'identification NI(i), qui reste inchange. La nouvelle reference cryp- NI (i) identification mero, which remains unchanged. The new reference cryp-
tee RFC(l, n+l) est enregistree localement sous le numero tee RFC (l, n + l) is saved locally under the number
o d'identification NI(i).o NI (i) identification.
Comme precedemment, la cle de cryptage est effacee de As before, the encryption key is deleted from
l'ordinateur de meme que l'echantillon et la reference, senle restart enre- the computer as well as the sample and the reference, senle restart enre-
gistree localement la reference cryptee RFC(l, n+l) et son numero locally store the RFC encrypted reference (l, n + l) and its number
d'identification NI(i).NI (i) identification.
s La nouvelle cle de cryptage CL(l, n+l) est envoyee au ser veur pour remplacer la cle de cryptage precedente CL(0) associee au meme s The new CL encryption key (l, n + l) is sent to the server to replace the previous CL (0) encryption key associated with the same
numero d'identification NI(i).NI (i) identification number.
Pour les operations suivantes, lorsque l'utilisateur souhaite de nouveau acceder a l'ordinateur apres la fin de la session precedente, il For the following operations, when the user wishes to access the computer again after the end of the previous session, he
fait de nouveau saisir son empreinte biometrique (200). Celle-ci est analy- re-enter his biometric print (200). This is analyzed
see (201) pour donner un echantillon ECH et en meme temps une requete de cle de cryptage est adressee au serveur avec le numero d'identification NI(i). Apres reception de la cle de cryptage CL(1) du serveur S. l'ordinateur decrypte (203) la reference RFC(1) enregistree localement sous le numero d/identification NI(i). Cette reference decryptee RF(1) est alors utilisee pour see (201) to give an ECH sample and at the same time a request for an encryption key is sent to the server with the NI identification number (i). After reception of the encryption key CL (1) from the server S. the computer decrypts (203) the RFC reference (1) recorded locally under the identification number NI (i). This RF decrypted reference (1) is then used to
etre comparee (204) a l'echantillon ECH. be compared (204) to the ECH sample.
lO Si la reponse est positive (205), l'acces est autorise (206) et on forme (207 une nouvelle cle de cryptage CL(2, n+2) est formee. Cette cle est utilisee pour cryptee l'echantillon ECH, c'est-a-dire la nouvelle refe rence qui devient la reference cryptee RFC(2, n+2). Cette reference cryptee est enregistree localement touj ours sous le numero d /identification NI (i) et les autres informations vent de nouveau effacees de l'ordinateur en meme temps que la nouvelle cle CL(1) est envoyee au serveur sous le numero lO If the response is positive (205), access is authorized (206) and a new encryption key CL (2, n + 2) is formed (207). This key is used to encrypt the ECH sample, ie the new reference which becomes the RFC encrypted reference (2, n + 2) This encrypted reference is always saved locally under the identification number NI (i) and the other information is again erased from the computer at the same time as the new key CL (1) is sent to the server under the number
d/identification NI(i).d / NI identification (i).
Les operations se repetent comme cela a deja ete decrit a ['aide de la figure 2. Si la comparaison (204) donne un resultat negatif The operations are repeated as already described using FIG. 2. If the comparison (204) gives a negative result
(209), l'acces est interdit (210).(209), access is prohibited (210).
A chaque nouvelle demande d'acces, les operations decrites With each new access request, the operations described
ci-dessus se repetent. Cela peut se fire dans la description ci-dessus en above repeat themselves. This can be seen in the description above in
remplacO ant les indices 1, 2 par n, n+l. replacing indices 1, 2 by n, n + l.
Dans le cas ou plusieurs utilisateurs vent autorises pour s un meme ordinateur, la situation est tres voisine. Chaque utilisateur en registre son identite au cours d 'une etape preliminaire, ct e st- a- dire qutil fait saisir son empreinte biometrique pour obtenir un numero d'identification NI(i), une premiere cle de cryptage et une premiere refe In the case where several users are authorized for the same computer, the situation is very similar. Each user registers their identity during a preliminary step, that is to say that they enter their biometric fingerprint to obtain an NI identification number (i), a first encryption key and a first refe
rence cryptee puis les operations se repetent. rence encrypted then the operations are repeated.
A chaque utilisateur est associee necessairement une cle de cryptage et une reference cryptee, differentes a la fois parce que l'empreinte biometrique est differente et parce qu'a chaque nouvelle de mande d'acces autorisee, le systeme forme une nouvelle cle de cryptage et Each user is necessarily associated with an encryption key and an encrypted reference, different both because the biometric fingerprint is different and because with each new request for authorized access, the system forms a new encryption key and
une nouvelle reference cryptee.a new encrypted reference.
Selon une caracteristique de ['invention, les numeros d'identification NI(i) ne vent pas fournis aux utilisateurs mais restent en registres tels quels dans l'ordinateur sans etre associes directement a un According to a characteristic of the invention, the identification numbers NI (i) are not supplied to the users but remain in registers as they are on the computer without being associated directly with a
utilisateur, ctest-a-dire a un nom d'utilisateur. user, that is, has a user name.
Lors d'une demande d'acces d'un utilisateur Ui, celui-ci fait prendre son empreinte biometrique (200) puis l'ordinateur demande la cle During a request for access by a user Ui, the latter takes his biometric print (200) then the computer requests the key
de cryptage au serveur. Pour cela, ltordinateur utilise par exemple le pre- encryption to the server. For this, the computer uses for example the pre-
mier numero d'identification NI(1). Le serveur lui revole la cle de cryptage associee a ce numero d'identification. Puis l'ordinateur compare ltechantillon et la reference decryptee associee a ce numero d/identification mier NI identification number (1). The server hands over the encryption key associated with this identification number. Then the computer compares the sample and the decrypted reference associated with this identification number
NI(1). Si la comparaison montre qu'il y a identite (205), l'acces est autori- NI (1). If the comparison shows that there is identity (205), access is authorized.
se; une nouvelle cle de cryptage et une nouvelle reference cryptee vent formees dans les conditions deja decrites et elles remplacent les anciennes is; a new encryption key and a new encrypted reference wind formed under the conditions already described and they replace the old ones
o informations.o information.
Si la comparaison donne un resultat negatif (209), l'acces n'est pas automatiquement interdit mais ['operation reprend (211) avec un If the comparison gives a negative result (209), access is not automatically prohibited but the operation resumes (211) with a
autre numero d'identification NI(i), par exemple le numero NI(2), suivant. another NI (i) identification number, for example the following NI (2) number.
La requete de cle, la comparaison avec l'echantillon et les operations sui The key request, the comparison with the sample and the following operations
s vantes vent repetees avec cette nouvelle cle et la nouvelle reference de- s vantes wind repeated with this new key and the new reference de-
cryptee associee a ce numero d'identification NI(2). Si la comparaison est encrypted associated with this NI identification number (2). If the comparison is
positive, les operations s'arretent dans les conditions deja indiquees, c'est- positive, operations stop under the conditions already indicated, that is
a-dire que l'acces est autorise; une nouvelle cle de cryptage et une nou- to say that access is authorized; a new encryption key and a new
velle reference cryptee vent formees et enregistrees l'une dans le serveur, o l'autre localement. Si la reponse de la comparaison (204) est negative (209), ['operation se repete avec un autre numero d'identification NI(i), par velle reference encrypted wind formed and saved one in the server, or the other locally. If the comparison response (204) is negative (209), the operation is repeated with another NI identification number (i), for
exemple le numero suivant NJ(3) dans un ordre qui n'a pas d'importance. example the following number NJ (3) in an order which does not matter.
Les operations se repetent jusqu'a l'obtention d'une reponse positive (205) ou en cas de reponse negative pour tous les numeros The operations are repeated until a positive response is obtained (205) or in the event of a negative response for all the numbers.
s d'identification NI(i) et les cles de cryptage associees, l'acces est inter- s NI (i) identification and associated encryption keys, access is inter-
dit (210).says (210).
Les operations decrites ci-dessus peuvent etre protegees par un jeton emis a chaque demande d'acces et particularise a chaque foist Ce jeton est forme dans l'ordinateur et dans le serveur selon The operations described above can be protected by a token issued at each access request and specific to each foist This token is formed in the computer and in the server according to
so un algorithme identique pour permettre la reconnaissance du jeton. so an identical algorithm to allow the recognition of the token.
Claims (4)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
FR0207125A FR2840747B1 (en) | 2002-06-11 | 2002-06-11 | ELECTRONIC SIGNATURE CONTROL METHOD FOR AUTHORIZING ACCESS TO A COMPUTER FOR THE EXECUTION OF A TRANSACTION |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
FR0207125A FR2840747B1 (en) | 2002-06-11 | 2002-06-11 | ELECTRONIC SIGNATURE CONTROL METHOD FOR AUTHORIZING ACCESS TO A COMPUTER FOR THE EXECUTION OF A TRANSACTION |
Publications (2)
Publication Number | Publication Date |
---|---|
FR2840747A1 true FR2840747A1 (en) | 2003-12-12 |
FR2840747B1 FR2840747B1 (en) | 2004-10-15 |
Family
ID=29559108
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
FR0207125A Expired - Fee Related FR2840747B1 (en) | 2002-06-11 | 2002-06-11 | ELECTRONIC SIGNATURE CONTROL METHOD FOR AUTHORIZING ACCESS TO A COMPUTER FOR THE EXECUTION OF A TRANSACTION |
Country Status (1)
Country | Link |
---|---|
FR (1) | FR2840747B1 (en) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
EP1693774A3 (en) * | 2005-02-21 | 2006-09-06 | Hitachi-Omron Terminal Solutions, Corp. | Biometric authentication apparatus, terminal device and automatic transaction machine |
Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO1998050875A2 (en) * | 1997-05-09 | 1998-11-12 | Gte Government Systems Corporation | Biometric certificates |
US6035398A (en) * | 1997-11-14 | 2000-03-07 | Digitalpersona, Inc. | Cryptographic key generation using biometric data |
-
2002
- 2002-06-11 FR FR0207125A patent/FR2840747B1/en not_active Expired - Fee Related
Patent Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO1998050875A2 (en) * | 1997-05-09 | 1998-11-12 | Gte Government Systems Corporation | Biometric certificates |
US6035398A (en) * | 1997-11-14 | 2000-03-07 | Digitalpersona, Inc. | Cryptographic key generation using biometric data |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
EP1693774A3 (en) * | 2005-02-21 | 2006-09-06 | Hitachi-Omron Terminal Solutions, Corp. | Biometric authentication apparatus, terminal device and automatic transaction machine |
Also Published As
Publication number | Publication date |
---|---|
FR2840747B1 (en) | 2004-10-15 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US20210334571A1 (en) | System for multiple algorithm processing of biometric data | |
CA2640915C (en) | Biometric authentication method, computer programme, authentication server, corresponding terminal and portable object | |
EP0253722B1 (en) | Method for diversifying a basic key and for authenticating a key worked out from a predetermined basic key and system for operation | |
US7840034B2 (en) | Method, system and program for authenticating a user by biometric information | |
EP0252849B1 (en) | Method for authenticating external authorization data by a portable object such as a memory card | |
US6851051B1 (en) | System and method for liveness authentication using an augmented challenge/response scheme | |
US7773779B2 (en) | Biometric systems | |
EP2502211B1 (en) | Method and system for automatically checking the authenticity of an identity document | |
BR112019009519A2 (en) | biometric transaction system | |
US20090262990A1 (en) | Apparatus and method for polynomial reconstruction in fuzzy vault system | |
FR2905187A1 (en) | BIOMETRIC ELECTRONIC PAYMENT TERMINAL AND TRANSACTION METHOD | |
JP2003216584A (en) | Secured identification with biometric data | |
CA2589223C (en) | Method for identifying a user by means of modified biometric characteristics and a database for carrying out said method | |
FR3006790A1 (en) | BIOMETRIC IDENTIFICATION METHOD | |
CN112600886B (en) | Privacy protection method, device and equipment with combination of end cloud and device | |
Chandrasekhar et al. | A noval method for cloud security and privacy using homomorphic encryption based on facial key templates | |
EP1266359B1 (en) | Biometric identification method, portable electronic device and electronic device acquiring biometric data therefor | |
FR2840747A1 (en) | Biometric access authentication method wherein each time access is required a fingerprint sample is compared with a stored encrypted reference with the new fingerprint sample forming a new reference after a positive comparison | |
EP0995172A1 (en) | Personal computer terminal capable of safely communicating with a computer equipment, and authenticating method used by said terminal | |
Islam et al. | Technology review: image enhancement, feature extraction and template protection of a fingerprint authentication system | |
FR2861482A1 (en) | Authentication biometric data securing method, involves personalizing stored general transformation function with user parameter, and applying personalized transformation function to authentication biometric data of user | |
EP1949305A1 (en) | Method for automatically recognising fingerprints | |
US20200175145A1 (en) | Biometric verification shared between a processor and a secure element | |
CA3205344A1 (en) | Method for checking individuals with simplified authentication | |
FR3088128A1 (en) | BIOMETRIC RECOGNITION METHOD AND DEVICE |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
ST | Notification of lapse |
Effective date: 20070228 |